Earlier this year, the healthcare industry was rocked by a significant cyberattack on Change Healthcare, and it is still grappling with the aftershocks. Consider the impact: Change Healthcare, which processes 15 billion healthcare transactions annually and touches 1 in every 3 patient records, faced what American Hospital Association CEO Richard J. Pollack called the most significant cyberattack in US healthcare history.
This attack is just one among the many assaults on healthcare data that occur annually. As we navigate this evolving threat landscape, it’s clear that traditional approaches to data security are no longer sufficient. It’s time we ask: What more can be done to better protect our healthcare data?
When it comes to cybersecurity, businesses and organizations are overlooking critical blind spots that leave their sensitive data extremely vulnerable. The traditional approach to cybersecurity has often revolved around fortifying digital perimeters, focusing on locking away sensitive data to prevent breaches.
However, this approach has limitations. If we can’t access the data, we’re ultimately hindering the discovery of valuable insights derived from data analysis. We’re in an age where data fuels innovation, especially in sectors like healthcare, where insights from protected health information (PHI) can drive life-saving breakthroughs. This is where the problem lies: there’s a very real gap between cybersecurity protocols and practical data usage. That gap is where sensitive data becomes vulnerable and where breaches become likely.
Protecting data shouldn’t stop at fortifying digital perimeters. While there’s an array of tools to monitor and restrict access to sensitive data, the binary condition of full access or no access often leads to workarounds and exceptions that compromise security.
Consider the prevalent use of Business Associate Agreements (BAAs) in healthcare. While these agreements establish contractual obligations (think HIPAA compliance) for data protection, they fall short of providing actual data security. Every time data is shared with a third party through a BAA, organizations relinquish control over that data, exposing themselves to significant risks.
The number of data breaches associated with partners that have BAAs in place is on the rise. Especially in healthcare – which faces more third-party data breaches than any other industry – the ramifications can be far-reaching. Take the infamous MOVEit breach, which targeted not only the healthcare industry but also government organizations, financial institutions and more in May 2023. To date, more than 2,700 organizations and nearly 95 million individuals have been impacted by the theft of data from the file-transfer platform – data that was, by regulatory standards, “compliantly being shared.”
So, while we need to bridge the gap between cybersecurity protocols and practical usage, being HIPAA compliant when using the data isn’t synonymous with security. We need solutions that protect data while retaining its utility. Privacy-enhancing technologies can bridge the gap between theory and real-world application, bringing policy controls to the data layer where usage restrictions can be articulated beyond full access or no access.
Enter the concept of “The Protected Data Age.” In this era, the focus shifts from merely locking down data to protecting it wherever it is shared. There are many opportunities to build more resilience into the way healthcare data is managed. It's about striking a delicate balance between harnessing the predictive potential of personal data and safeguarding individual privacy.
One avenue to explore is to minimize the footprint of data sets that truly require PHI to be present. For analytic workloads, for example, it is advantageous to work exclusively with de-identified data. Fewer copies of sensitive data mean fewer attack vectors. When healthcare data never needs to be linked or matched, anonymizing data through full redaction of PHI is best.
However, many important use cases still require the ability to join multiple data flows together at the patient level. One promising approach to achieve this is through Partitioned Knowledge Orchestration (PKO), a technique within the realm of secure multi-party computation. PKO offers a pathway to secure data sharing by dissociating identity from information, minimizing the risk of exposure.
By adopting a proactive stance toward protecting sensitive data – de-identifying data at rest and utilizing PKO if we need to connect disparate data sources – we can find a balance between data utility and security. This proactive approach aligns with the overarching goal of fortifying cybersecurity defenses across the healthcare sector.
The Change Healthcare cyberattack serves as a wake-up call for the healthcare industry. It’s time to embrace a proactive approach to cybersecurity that prioritizes advanced de-identification solutions, protects data wherever it is shared, and closes the gap between security protocols and practical data usage. Together, let’s pave the way for a safer, more resilient healthcare ecosystem that fosters innovation while safeguarding patient privacy.